Use an ingress gateway to access a WebSocket service in an ASM instance - Alibaba Cloud Service Mesh

WebSocket is a computer communications protocol that provides full-duplex communication channels over a single Transmission Control Protocol (TCP) connection. WebSocket is located at the application layer in the Open Systems Interconnection (OSI) model. WebSocket allows a server to push data to clients. Services that comply with WebSocket are WebSocket services. This topic shows you how to use an ingress gateway to access a WebSocket service in a Service Mesh (ASM) instance.

Prerequisites

An ASM instance is created. For more information, see Create an ASM instance.
An ACK managed cluster is created. For more information, see Create an ACK managed cluster.
The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
An ingress gateway service is deployed. For more information, see Create an ingress gateway service.
An application is deployed in the ASM instance. For more information, see Deploy an application in an ASM instance.
An ASM instance of Enterprise Edition or Ultimate Edition is created. For more information, see Create an ASM instance.
An ASM instance of Enterprise Edition or Ultimate Edition is created and the instance is of the latest version. For more information, see Create an ASM instance.
A kubectl client is connected to the cluster. For more information, see Connect to ACK clusters by using kubectl.

Step 1: Deploy a sample application

Use kubectl to connect to the ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Use the following content to create a YAML file named tornado:

apiVersion: v1
kind: Service
metadata:
  name: tornado
  labels:
    app: tornado
    service: tornado
spec:
  ports:
  - port: 8888
    name: http
  selector:
    app: tornado
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tornado
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tornado
      version: v1
  template:
    metadata:
      labels:
        app: tornado
        version: v1
    spec:
      containers:
      - name: tornado
        image: registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/asm-wss-server-sample:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8888
---

Run the following command to create the tornado application:
```
kubectl apply -f tornado.yaml
```

Step 2: Configure a routing rule

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
Create an Istio gateway.Gateway
1. On the details page of the ASM instance, choose ASM Gateways > Gateway in the left-side navigation pane. On the Gateway page, click Create from YAML.
2. On the Create page, select default from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
```
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tornado-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
  Set the number parameter to 80. This way, the WebSocket service can receive inbound or outbound HTTP and TCP traffic over port 80.
Create a virtual service.VirtualService
1. On the details page of the ASM instance, choose Traffic Management Center > VirtualService in the left-side navigation pane. On the page that appears, click Create from YAML.
2. On the Create page, select default from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tornado
spec:
  hosts:
  - "*"
  gateways:
  - tornado-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: tornado
      weight: 100
```
  Set the hosts parameter to *. This way, all requests can access the WebSocket service.

Step 3: Query the IP address of the ingress gateway

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, choose Network > Services
At the top of the Services page, select istio-system from the Namespace drop-down list. Find the ingress gateway named istio-ingressgateway and view the IP address whose port is 80 in the External Endpoint column.

Step 4: Use the ingress gateway to access the WebSocket service

Enter http://<IP address of the ingress gateway> in the address bars of four different browsers.

Run the following commands to access the WebSocket service:

curl "http://<IP address of the ingress gateway>/api?id=8&value=300"

curl "http://<IP address of the ingress gateway>/api?id=5&value=600"

curl "http://<IP address of the ingress gateway>/api?id=1&value=200"

curl "http://<IP address of the ingress gateway>/api?id=3&value=290"

View the data of the WebSocket service in the four browsers. The data of the WebSocket service in the four browsers is updated at the same time, and the same data is displayed.

Step 5: Switch to the WebSocket Secure (wss) protocol

Generate a server certificate and private key pair for the ingress gateway. Create a secret that contains the server certificate and private key pair in the istio-system namespace of the ACK cluster, and name the secret myexample-credential. For more information, see Step 1: Prepare server certificates and private keys for multiple hosts.

Modify the routing rule created in Step 2: Configure a routing rule.

Example of the YAML file:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tornado-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - hosts:
    - "*"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myexample-credential
      mode: SIMPLE

Step 6: Use the wss protocol to access the WebSocket service

Enter http://<IP address of the ingress gateway> in the address bars of four different browsers.

Run the following commands to access the WebSocket service:

curl -k "https://<IP address of the ingress gateway>/api?id=8&value=300"

curl -k "https://<IP address of the ingress gateway>/api?id=5&value=600"

curl -k "https://<IP address of the ingress gateway>/api?id=1&value=200"

curl -k "https://<IP address of the ingress gateway>/api?id=3&value=290"

View the data of the WebSocket service in the four browsers. The data of the WebSocket service in the four browsers is updated at the same time, and the same data is displayed.